To address this need, ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms used in this report and what they mean to email security.
Because email fraud centers on identity deception, the impersonation of trusted senders in order to con recipients, we start with the method by which the imposter impersonates the trusted sender’s email account, making the emails the imposter sends appear to originate from the trusted party.
For more information about the Agari Threat Taxonomy, see www.agari.com/taxonomy
Generally speaking, we observe three primary ways in which cybercriminals impersonate an email account:
LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that closely resembles the legitimate domain he or she is seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the attacker places the actual email address of the impersonated identity in the “From” header, for example “Company Customer Service.” Email authentication standards such as DMARC allow a domain owner to prevent spoofing of the domain, but they are still not widely adopted by businesses.
DISPLAY NAME DECEPTION: This happens when the cybercriminal inserts the name of the impersonated individual or brand into the “From” field within Gmail, Yahoo, or another free cloud-based email platform. These are also known as “friendly from” attacks.
COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that has already been compromised, assuming both the identity and the actual email account of the impersonated individual or brand. This is the most dangerous threat of all, because the messages genuinely originate from the legitimate account and therefore pass email authentication checks.
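The three impersonation methods above are what a receiving mail system has to tell apart when it triages a suspicious message. The following is an added example (not Agari’s code or tooling): it takes a “From” header together with the DMARC verdict the receiver itself recorded and maps the message to a bucket of the taxonomy. The trusted domain, the trusted display name, the free-webmail list and the sample headers are all constructed for the example.

```python
"""Triage helper for the three impersonation methods in the taxonomy:
given a From: header and the receiver's own DMARC verdict, decide which
bucket an inbound message falls into. Added example, not Agari's code;
the trusted names, domains and sample headers are constructed."""
import re
from email.utils import parseaddr

# Constructed reference data for a hypothetical campaign.
TRUSTED_DOMAINS = {"examplecampaign.org"}
TRUSTED_PEOPLE = {"jane doe"}           # display names an attacker would borrow
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domain labels hints at
    a look-alike registration (e.g. the digit 1 in place of the letter l)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """Label left of the TLD ('examplecampaign' for examplecampaign.org).
    Crude public-suffix handling is enough for this example."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(from_header: str, dmarc_result: str = "none") -> str:
    """Map a From: header to a taxonomy bucket.

    dmarc_result is the dmarc= value the receiving MTA wrote into its own
    Authentication-Results header: 'pass', 'fail' or 'none' (no record).
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.partition("@")[2]
    display_key = re.sub(r"\s+", " ", display).strip().lower()

    if domain in TRUSTED_DOMAINS:
        # Exact trusted domain: either a genuine (possibly compromised)
        # account, or a spoof that the domain's DMARC policy exposes.
        if dmarc_result == "pass":
            return "authenticated trusted domain (legitimate or compromised account)"
        return "domain spoofing"

    for trusted in TRUSTED_DOMAINS:
        t_label, d_label = second_level_label(trusted), second_level_label(domain)
        # Brand name embedded in the label, or a one- or two-character edit.
        if t_label in d_label or edit_distance(t_label, d_label) <= 2:
            return "look-alike domain"

    if display_key in TRUSTED_PEOPLE:
        if domain in FREE_WEBMAIL:
            return "display name deception (free webmail)"
        return "display name deception"

    return "unknown sender"


if __name__ == "__main__":
    # Constructed sample headers, one per bucket.
    samples = [
        ("Jane Doe <jane@examplecampaign.org>", "pass"),
        ("Jane Doe <jane@examplecampaign.org>", "fail"),
        ("Jane Doe <janedoe.campaign2020@gmail.com>", "none"),
        ("Jane Doe <jane@examp1ecampaign.org>", "none"),
        ("Newsletter <news@vendor.example>", "none"),
    ]
    for header, verdict in samples:
        print(f"{header:48} dmarc={verdict:5} -> {classify(header, verdict)}")
```

Note that the exact-domain case cannot be resolved from the header alone: a message from the real domain that fails DMARC is a spoof, while one that passes is either legitimate or sent from a compromised account, which is why the compromised-account case needs behavioural checks beyond authentication.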
Different types or classes of attacks will entail different elements of this taxonomy.
A business email compromise (BEC) attack, for instance, can involve an imposter who aims to impersonate a trusted individual or brand using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.
By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is typically the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.
Just nine months before votes are cast in the earliest primary states, the incumbent, his sole Republican challenger, and all but four of the Democratic candidates remain at high risk from phishing attacks against staff, email scams impersonating their campaigns, or both.
While it may seem as if email security is something that can wait until after candidates have clinched their parties’ nominations, that may be wishful thinking. In the aftermath of successful efforts to derail Hillary Clinton’s 2016 presidential bid, the volume and ferocity of email attacks heading into the 2020 elections can only grow worse—and are likely to start earlier than most campaigns would suspect.
It has been nearly three years since Clinton campaign chairman John Podesta received a phony Gmail “account alert” containing a malicious link, which resulted in a damaging leak of internal campaign emails. But nearly a full election cycle later, little has changed. While we have seen a small increase in email security over the last quarter, it appears that few candidates have the resources to implement critical defenses for the email channel.
Starting on July 11th, the Federal Election Committee (FEC) began approving requests made by email security solutions providers to implement anti-phishing solutions for campaigns and political parties at discounted prices without violating campaign finance laws. Agari, for instance, is offering campaigns its services at low or no charge in order to ensure that US citizens determine the next president of the United States—not cybercriminals.
Campaigns might want to jump on such offers now. As of June 30, only one candidate has implemented best practices to secure her campaign against email threats targeting campaign staff, donors, and the public. Just three of the remaining twelve top contenders have implemented email authentication to protect against email-based impersonation, and only one has deployed advanced email security solutions to protect campaigns from attacks that can lead to breaches.
The information here was collected on July 10, 2019. For an up-to-date status on top candidates, see www.agari.com/election
While these platform-native security features provide solid protection against malware and malicious links, they don’t stand a chance against today’s most advanced email attack methodologies. In addition to sending malicious links like the one that fooled John Podesta in 2016, today’s threat actors use sophisticated social engineering tactics to send highly personalized email messages designed to manipulate recipients into revealing login credentials or other sensitive information by making it appear as if the message was sent by a known and trusted source.
Despite the relative ease of implementing advanced email protection, the Agari Cyber Intelligence Division finds that only two of the top thirteen US presidential candidates with an email-receiving domain or campaign website have implemented a solution to stop advanced threats.
At best, that means campaign staff will avoid most of the fraudulent “Account Closure Notice” or “Payment Past Due” alerts aimed at harvesting email logins that give hackers access to archived and ongoing email threads. But how many will recognize email attacks with subject lines reading “Re:,” “Quick Request,” or “Following up” from a senior campaign official, an outside polling firm, or a reporter? Or perhaps even from the candidate themselves, asking the recipient to pay an outstanding invoice or forward confidential polling data?
Thankfully, these kinds of business email compromise scams, spear phishing attacks, and other email threats can be blocked by adding advanced email security solutions to Gmail or O365.
While most of the US presidential candidates have yet to take such simple steps to protect their campaigns, foreign and domestic adversaries are not going to wait to gain the foothold they need to cause maximum damage in the heat of the general election, no matter who the final nominees may be.
Of the candidates polling over 1% according to tracking data from Real Clear Politics, Massachusetts Senator Elizabeth Warren (D) and Former Massachusetts Governor William Weld (R) continue to be the only candidates to put an advanced security solution in place to protect their staff from incoming email attacks that could crush their presidential ambitions.
The threat cannot be overstated. Over the last year, there has been a 250% increase in phishing attacks targeting organizations operating within cloud-based email environments. And even with substantial investments in security, more than 90% of all data breaches start with a well-targeted malicious email. According to Verizon’s 2019 Data Breach Investigations Report, 36% of external attackers are now affiliated with nation-states, statistically even with organized crime.
Given recent history, it’s safe to assume that cyberattacks against 2020 US presidential candidates will be more aggressive than we’ve seen before, precisely because these attackers continue to move away from content-based techniques and toward identity-based attacks, which many cybersecurity technologies cannot detect.
It’s likely that without advanced email security solutions, the continuously evolving ecosystems of advisors, policy analysts, pollsters, media and advertising experts, and other members of a candidate’s inner circle will be seen as sitting ducks by world-class hackers and others seeking to undermine their campaigns, the 2020 elections, and US democracy itself.
And that’s just the inbound threats. Then there are the other forms of email attacks candidates will face in the year ahead.
During the second quarter of 2019, the campaigns of New Jersey Senator Cory Booker, Hawaii Congresswoman Tulsi Gabbard, and Former Vice President Joe Biden followed Massachusetts Senator Elizabeth Warren’s lead in implementing email authentication using DMARC.
The DMARC protocol helps ensure that only authorized parties can send emails on a candidate’s or campaign’s behalf—thus preventing them from being impersonated in phishing attacks targeting their most important constituencies.
In 2017, the US Department of Homeland Security issued Binding Operational Directive (BOD) 18-01, which requires all executive branch agencies to adopt DMARC with its top enforcement policy of “reject” in order to provide the strongest protection against impersonation-based attacks targeting other agencies, government officials, US citizens, media outlets, foreign allies, and more. Yet while the US executive branch now ranks among the leading industry verticals in DMARC adoption, no such directive has been set for the legislative and judicial branches, much less for campaigns for federal office. Given the stakes, DHS may want to rethink that.
Even with the progress seen during the second quarter, nine of the thirteen candidates for president are not properly utilizing the reject policy within DMARC, leaving them and their donors, voters, and the foreign and domestic press open to phishing attacks and disinformation campaigns.
Factor in emerging “Deep Fake” technologies that enable the production of videos that make a candidate appear to say anything the video creators want, and the threat level could escalate quickly. What kinds of fraudulent statements or mischaracterized policy positions could be attributed to candidates and emailed to rival campaigns, the media, key voters, and others? What if there’s even this kind of video “proof” to substantiate the claims? The damage is likely to spread faster than news media fact checkers can alert voters to the con.
For that matter, what happens when a candidate or campaign is successfully impersonated in fundraising appeals, defrauding existing and prospective donors out of money? What happens when the negative publicity and bot-driven social media maelstrom erupt, making these and other constituents wary of opening a campaign’s legitimate email messages? Today, email marketing has an average $38 ROI for every $1 spent. Failure to protect this all-important fundraising channel can be an instant campaign killer.
Out of all candidates with polling averages above 1%, eight have DMARC records assigned to their domain. These include:
But only four—Biden, Booker, Gabbard, and Warren—have assigned DMARC records with a p=reject policy to stop unauthenticated emails from being delivered.
Because a DMARC record does not prevent illegitimate mail from reaching the inbox until the policy is set to p=reject, every other major candidate remains at risk of email-based impersonation—including the sitting President of the United States.
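The distinction drawn here and in the DMARC discussion above, that a published record only protects a domain once its policy is p=reject, is easy to check mechanically. The following is an added example (not Agari’s code or its candidate-tracking method): it evaluates the text of a DMARC TXT record and reports the gaps that would still let the domain be impersonated. The sample records and domain names are constructed; fetching a live record (a TXT lookup of _dmarc.<domain>, for instance with dig) is outside the block.

```python
"""Evaluate whether a DMARC TXT record actually enforces p=reject.
Added example, not Agari's code; sample records below are constructed.
Only the record text is evaluated here; the DNS lookup is done separately."""
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: Optional[str]) -> dict:
    """Return the policy details plus a list of gaps that leave the domain
    impersonable. 'enforced' is True only for p=reject applied at pct=100."""
    if not txt:
        return {"policy": None, "enforced": False,
                "gaps": ["no DMARC record published"]}
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "enforced": False,
                "gaps": ["missing v=DMARC1 tag"]}

    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()      # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0

    gaps = []
    if policy == "none":
        gaps.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        gaps.append("p=quarantine sends spoofs to spam rather than rejecting them")
    elif policy != "reject":
        gaps.append(f"unknown policy value p={policy}")
    if policy != "none" and pct < 100:
        gaps.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sub_policy != "reject":
        gaps.append(f"subdomains fall back to sp={sub_policy}")
    if "rua" not in tags:
        gaps.append("no rua= address, so the owner receives no aggregate reports")

    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct,
            "enforced": policy == "reject" and pct == 100, "gaps": gaps}


# Constructed records illustrating the states discussed in the report.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        status = "ENFORCED" if result["enforced"] else "AT RISK"
        print(f"{domain:22} {status:9} {'; '.join(result['gaps']) or 'no gaps'}")
```

The pct and sp tags are worth checking alongside p: a record that reads p=reject but carries pct=50, or sp=none, still leaves a slice of the domain’s mail, or all of its subdomains, open to impersonation even though a casual reading of the record suggests full enforcement.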
Voters, journalists, donors, and others should be wary of any email purporting to come from candidate domains other than those of Biden, Booker, Gabbard, and Warren. No other candidates have implemented the protocols necessary to keep email scams bearing their names from hitting inboxes. We should all hope this situation is mitigated as quickly as possible—before one of these unprotected candidates becomes a cautionary tale that damages trust in the electoral process.